Defending Against DDOS (Distributed Denial-of-Service)

Eric Vanderburg

The site is down! These are haunting words for most businesses, and today’s topic: the DDoS (Distributed Denial-of-Service) attack. This particularly nasty type of attack attempts to disrupt the availability of systems by overwhelming servers, saturating bandwidth or through other techniques. Your business is most likely heavily reliant upon specific systems and this article provides an overview of the DDoS attack that could potentially take these key systems down and techniques for combating the DDoS.

It is best to understand what the DoS and DDoS attacks are and how they work before discussing how to combat them. DoS (Denial of Service) attacks disrupt the availability of key information systems so that legitimate users cannot access these resources. The DDoS attack accomplishes the same thing by using a distributed set of computers or “bots” or “zombies” and it is extremely powerful because it is using the power of thousands of computers and the bandwidth of many networks to perform the attack. Both the DoS and DDoS result in lost sales, lost customer confidence, reduced productivity or increased work for support staff. So how does the DDoS attack work?

Understanding the DDoS

DDoS attacks rely on the power of many distributed machines so the first part of a DDoS attack is assembling an army of bots. Using automated tools, attackers scour the Internet in search of vulnerable machines that are exploited and turned into bots by installing software on them that waits for commands from a command and control server. These bots are used to enslave other bots until a sufficient army is assembled for the attack.

The attacker is now ready to initiate an attack with their bot army. Attacks are initiated automatically or semi-automatically. Automatic attacks already have the target programmed into them by the attacker so the attack takes place as soon as the bot army is assembled. This minimizes interaction the attacker has with the bot army and makes it more difficult for him or her to be identified. In semi-automatic attacks, instructions are sent to the bot army by the attacker through command and control servers once the bot army is assembled.

Some DDoS attacks called protocol attacks target a specific protocol or vulnerability and others use brute-force. Protocol attacks take advantage of a bug in the software or a feature of the communication to tie up resources of the target so that legitimate traffic cannot be serviced. Brute-force attacks bombard the system with otherwise seemingly legitimate transactions. Protocol attacks would seem like the more advanced method but they can be stopped by altering the system to remove the bug or changing the way the system operates so that the feature cannot be exploited. The brute-force attack is no different from legitimate traffic except for its increased volume so it is more difficult to combat.

So what can you do to prevent or mitigate DDoS? We have selected five practical things you can do to protect against a DDoS attack.

Infrastructure Improvements

First, consider increasing bandwidth and server performance. DDoS attacks attempt to overwhelm available resources so additional resources will allow you to withstand greater attacks. This involves having more server space or bandwidth than necessary. Such over-provisioning addresses the number one problem brought on by a DDoS attack, link and equipment saturation. Unfortunately, it can be difficult to determine how much extra hardware and bandwidth is necessary to sustain an attack as even some of the largest companies have succumbed to DDoS attacks. When attacks fail, attackers often gather a larger bot army and try again.

Another way to protect your data against a DDoS attack is through real-time monitoring. Real-time monitoring can identify a DDoS attack early. Such a system must be actively monitored so that action can be taken quickly to resolve the situation. DDoS attacks can ramp up quickly so administrators might not have much time to respond once an alert comes in. Integration of site and device monitoring with SIEM can leverage existing technology to protect against this attack.

It should be noted that not all DDoS attacks happen immediately. Some attacks develop slowly so that they will not be noticed as easily. They gradually increase the number of requests made to resources until the resources become unavailable. It is important to have baselines of system performance and expected use so that these can be compared to active data in order to classify traffic as legitimate or a potential DDoS attack.

Consider monitoring log file sizes and growth rates. Some monitoring tools will create a more critical event and alert when a large number of informational events are generated so that administrators can stay on top of problem areas. Informational events might not appear in reports and individually they would not indicate a problem but collectively they could indicate a DDoS attempt or some other hacking activity.

Log Maintenance

Genuine users and DDoS attacks both log server events and this can cause some services to reject connections if the log fills up. As mentioned earlier, log file growth rates and sizes could indicate an attack but in order to prevent a full log from making a system unavailable you can either increase log file sizes, archive logs, or roll the logs over. If systems are set to refuse connections when the log is full you should not implement log rollover because the refusal is a security mechanism meant to prevent unauthorized access. In this case you should either use archiving or larger log files to keep servers available.

Community

Finally, information security departments can work closely with the botnet hunter community. DDoS attacks rely on bots to perform their work, but if the bots are known about, control of the bots can potentially be wrested out of the attacker’s hands. Knowing who to call that can nip the attack in the bud rather than allow it to get too big can save valuable time and effort. Know who to call at your upstream service provider to help filter attacks. Your Internet provider might have specialized equipment to help reduce DDoS attacks so put a plan in place to work with them to stop the attack.

The DDoS is an outside invasion, but not one that looks to install or plant something within the company in order to gain information. Instead, this type of attack constantly hits the server with requests that business is halted. DDoS can cause a lot of damage to organizations that rely on the availability of key information systems. That is why we have outlined the above five activities that can mitigate the effects of an attack.